Scott McAuliffe
Risk Advisory Services Partner
The larger or more complex your enclave, the greater the costs you will incur.
Accordingly, we approach scoping with an eye for compliance as well as opportunities to shrink your enclave.
en·clave (än-klāv): "A set of system resources that operate in the same security domain and that share the protection of a single, common, continuous security perimeter." – NIST
Prior to scoping, organizations should already have a target CMMC Maturity Level. Most organizations will start at either:
Determining your target maturity level is a management decision based upon:
We can assist in this process upon request.
Meet with stakeholders and review documentation (network diagrams, data flow diagrams, architecture documents, and more) to identify the assets in your assessment scope.
The CMMC Level 1 and Level 2 Scoping Guides together identify six Asset Categories: FCI Assets, CUI Assets, Security Protection Assets (SPA), Contractor Risk Managed (CRM) Assets, Specialized Assets, and Out-of-Scope Assets.
However, there are other ‘things’ that fall within the assessment scope, namely people and facilities. For example, CMMC Awareness and Training (AT) practices require security awareness training delivered to people, and Physical Protection (PE) practices require security controls in facilities.
Additionally, some of your assets may involve third parties with their own compliance requirements, such as cloud service providers (CSP) or other external service providers (ESP), like managed IT services.
In this step, we work with your team to identify your in-scope assets and classify them into an appropriate asset type. This is the foundation of the remainder of your scoping exercise.
Work with stakeholders to identify opportunities to minimize your scope.
Document asset applicability for each CMMC Practice.
Based on what we’ve learned by working with your team, we will document asset applicability conclusions for each in-scope asset against each practice. For any practice that does not apply to a particular asset, we will document the rationale. For example, the requirement to escort visitors does not apply to a CUI-processing engineering system.
Powered by our CMMC Compliance Tool
All scoping documentation is entered into our internally developed CMMC Compliance Tool – which is yours forever as a benefit of retaining us for any CMMC related service.
Even the simplest organizations will have THOUSANDS of CMMC compliance data points. Attempting to comply in any manner other than a data-driven one invites waste and error.
The tool is easily maintained in your own environment. It is your security data, and we believe you should have the right to keep it in your environment, forever.
From scoping to the creation of your SSP, the CMMC Compliance Tool tracks thousands of requirements, scoping decisions, internal assignments of responsibility, evidence locations, related status, and more.